Creating a well-considered BYOD (Bring Your Own Device) policy for your organisation’s employee-owned mobile devices is now more critical than ever. Full-time and temporary employees, contractors and other stakeholders possess an array of powerful smartphones and tablets, frequently used in preference to corporate laptops and desktop PCs.
With the increased frequency of cyber attacks (and the resulting data loss), increased compliance requirements from GDPR, and the need to protect PII (Personally Identifiable Information), taking control of BYOD has never mattered more.
When it comes to your company’s data, there can be no ambiguity. You must keep all information safe. The best way to do that is to create a policy that prioritises data security and provides clear, unambiguous guidance to answer all the relevant questions.
Employees of all computer literacy levels should understand a well-crafted BYOD policy, so they will have a clear idea of what they can and cannot do. But what are all these questions?
To make things simple, we’ve compiled this handy list of 8 things every BYOD policy must contain, which are:
- An Introduction
- List of Permitted Devices
- BYOD Security Policy
- Data Ownership
- Required, Permitted or Prohibited Apps
- Acceptable Use
- Device Decommissioning
- Disclaimer
1. Introduction
As with any policy, it is important to introduce the intended use, key framework guidelines, and any limitations and terms of use. In particular, you should also introduce current threats to data security, risks of loss of corporate information, and the consequences to both the employee and the organisation.
Understanding the importance of, as well as the reasons for, the policy will maximise employee buy-in.
2. List of Permitted Devices (Hardware & Firmware)
Today, personal mobile devices broadly means smartphones, tablets and laptops. With such a wide variety of hardware and firmware available, it is important to specify the supported devices, to ensure only secure and supported firmware is in use (e.g. Android KitKat v4.4.4 or later) and to limit the management and administrative workload.
Hardware and firmware outside of the supported devices should not be permitted. You wouldn’t allow a Windows XP machine, or even a Windows 7 laptop with unpatched critical security updates, onto your network, so why would you have a different policy for mobile devices?
3. BYOD Security Policy
An effective BYOD security policy is essential for securing your mobile environment and should require (but not be limited to):
Enrolment in the MDM Platform
- Without an effective mobile device management (MDM) platform, you have no method of policy management and security oversight - your devices and users are outside of your control. Swift enrolment to the corporate MDM platform ensures you can enforce your BYOD policy, control undesirable behaviour and minimise mobile security threats.
Installation of Supported Security Software
- Additional protection is advised to protect devices from malware, malicious apps, or data loss, whether accidental or caused by rogue user behaviour.
Screen Lock Password Protection
- It would be negligent not to mandate and enforce the most basic of security protections. A screen lock password is the first barrier against data loss from a lost or stolen device. All MDM platforms provide security management features to enforce it and maintain device integrity.
Secure Connection Methods (VPN)
- Device-level VPN connections between the device and the corporate network should be mandated as standard, while application-level VPN connections ensure secure data transmissions.
Device Firmware To Be Regularly Updated and Patched
- To help protect from mobile security threats, you should require and enforce the update of device firmware to fix security vulnerabilities. This can be implemented, deployed and managed via your MDM platform.
Periodic User Re-authentication
- In addition to being a good security practice, periodic re-authentication maintains device integrity and user authenticity. It is advised to re-authenticate regularly after a set period.
Separation Between Corporate and Personal Data
- With BYOD, corporate and personal data are stored on the same device. Data separation is required first for corporate data security purposes and second for effective management, as corporate data must be wiped from the device when an employee leaves the organisation. Data separation is achieved through good data management processes and policy enforcement.
Encryption of Corporate Data
- All data should be encrypted to maintain security if a device is compromised. Some MDM platforms, such as IBM’s MaaS360, include a secure, encrypted container for the most sensitive corporate documents.
Blocking of Offline Access to Secure Corporate Documents
- Permitting offline access to sensitive corporate documents leaves copies of those documents and data on the device, whether downloaded or cached, beyond the reach of network-side controls. Only permit access to sensitive data when connected to the corporate network.
Blocking of Jailbroken and Compromised Devices
- Jailbroken and rooted devices pose a high security risk: the platform protections are disabled, leaving the device exposed to malware, malicious apps and other compromise.
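The requirements above are the kind of checks an MDM compliance report runs per device. The following is an added example, not code from the original article or any MDM vendor: it evaluates constructed inventory records against these requirements, with the Android version floor taken from section 2 and the re-authentication interval, field names and sample records all assumed for illustration.

```python
from datetime import date

# Policy constants: the Android floor is the article's own example (KitKat 4.4.4);
# the re-authentication interval is an assumed value for this demonstration.
MIN_ANDROID = (4, 4, 4)
REAUTH_DAYS = 30

def parse_version(text):
    """'4.4.4' -> (4, 4, 4); a bare major like '9' -> (9,)."""
    return tuple(int(p) for p in text.split("."))

def version_at_least(have, minimum):
    """Compare version tuples after zero-padding so (4, 4) vs (4, 4, 4) is sane."""
    n = max(len(have), len(minimum))
    return have + (0,) * (n - len(have)) >= minimum + (0,) * (n - len(minimum))

def evaluate(device, today):
    """Return the section 3 requirements a device record fails; empty = compliant."""
    failures = []
    if not device["mdm_enrolled"]:
        failures.append("not enrolled in MDM")
    # The article gives a minimum only for Android; iOS has no version floor here.
    if device["platform"] == "android" and not version_at_least(
            parse_version(device["os_version"]), MIN_ANDROID):
        failures.append("firmware below supported minimum")
    if not device["screen_lock"]:
        failures.append("screen lock not set")
    if not device["encrypted"]:
        failures.append("corporate data not encrypted")
    if device["compromised"]:
        failures.append("jailbroken or rooted")
    if (today - device["last_auth"]).days > REAUTH_DAYS:
        failures.append("re-authentication overdue")
    return failures

# Constructed inventory records (hypothetical field names, not real devices).
INVENTORY = [
    {"id": "dev-1", "platform": "android", "os_version": "9", "mdm_enrolled": True,
     "screen_lock": True, "encrypted": True, "compromised": False, "last_auth": date(2019, 5, 20)},
    {"id": "dev-2", "platform": "android", "os_version": "4.3", "mdm_enrolled": True,
     "screen_lock": False, "encrypted": True, "compromised": False, "last_auth": date(2019, 3, 1)},
    {"id": "dev-3", "platform": "ios", "os_version": "12.3.1", "mdm_enrolled": False,
     "screen_lock": True, "encrypted": True, "compromised": True, "last_auth": date(2019, 5, 30)},
]

def noncompliant(inventory, today):
    """Map device id -> failed requirements, for devices that fail anything."""
    return {d["id"]: evaluate(d, today) for d in inventory if evaluate(d, today)}
```

Running `noncompliant(INVENTORY, date(2019, 6, 1))` flags dev-2 and dev-3 and leaves dev-1 off the report; the failure strings are what a policy owner would feed back to the user before blocking access.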
4. Data Ownership
Any company data remains the property of the organisation. You should retain the right to wipe devices on the network, though it is advisable to guide users on backing up personal data. An effective MDM platform can separate company and personal data in a secure container.
5. Specify Required, Permitted or Prohibited Apps
This will partly depend on policy and the risk profile of the organisation and the employee. With malware-infected mobile apps on the rise, it is important to exercise a degree of control.
6. Acceptable Use
Although broadly forming part of your general IT policy, there are specific requirements of a BYOD acceptable use policy to ensure that employees are not accessing undesirable or illegal content or disseminating material while using the corporate VPN. You should therefore consider what monitoring tools are in place to enforce such policies.
7. Device Decommissioning
Employees leave, and devices are lost or stolen. How do you remove access to e-mail, or wipe and remove data and other proprietary applications and information? Having a clear methodology to maintain data security and compliance is important, as it retains the right to remotely wipe data if an employee has not made arrangements with IT or if a personal device is lost.
8. Disclaimer (With Signature Section)
There should be a place for the employee to sign and agree to all these terms before device enrolment by your IT team.
Device Monitoring and Policy Enforcement
So, you’ve set up your policy, but how do you manage your devices and ensure your policy is enforced and data integrity is maintained?
With the ever-increasing power and popularity of tablets and smartphones, more and more sensitive data is being accessed anywhere. Managing and securing your mobile fleet is today’s critical challenge.